[Freeipa-users] Adding cross realm trust principals

2014-07-21 Thread Andreas Ladanyi
Hello, I want to migrate an existing MIT Kerberos realm to IPA and want to set up a cross-realm trust relationship. I have exactly the problem discussed on this mailing list: https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html and want to ask if there is now a new way to

[Freeipa-users] Extending FreeIPA 3

2014-09-18 Thread Andreas Ladanyi
Hi, I am using CentOS 6.5 and the ipa-server 3.0.0, 37.el6 package. I want to expose an LDAP attribute in the Web UI and read the following slides: https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf My problem is that I can't find a plugin location path

[Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-08 Thread Andreas Ladanyi
Hello, I have the following situation: OpenLDAP with user entries. No userPassword hashes are available. MIT Kerberos with principals and password hashes in the KRB DB. I have migrated the user and group accounts via ipa migrate-ds ... successfully. Now, is it possible to get out the Kerberos

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Andreas Ladanyi
The old system from which I migrated the user/group accounts uses Kerberos' own DB without LDAP for the principals. I could dump the master key: kdb5_util dump filename K/M@REALM Now I have a lot of numbers in the dump file. Which number belongs to which LDAP attribute in the (test)

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-11-04 Thread Andreas Ladanyi
On Mon, 13 Oct 2014 17:30:58 +0200 Andreas Ladanyi andreas.lada...@kit.edu wrote: The old system from which I migrated the user/group accounts uses Kerberos' own DB without LDAP for the principals. I could dump the master key: kdb5_util dump filename K/M@REALM Now I have a lot

[Freeipa-users] Migration Webpage doesnt work

2014-11-06 Thread Andreas Ladanyi
Hi, I migrated user data with the ipa migrate-ds script without problems. The users in the old OpenLDAP don't have a userPassword, and only the Kerberos principal from the local KRB DB was used for authentication. After migration FreeIPA doesn't have a userPassword and there is no Kerberos hash.

[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-12 Thread Andreas Ladanyi
Hi, I set up the 389 LDAP server to support the des-cbc-crc enctype. I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4 (single-DES). I created the principal with: kadmin.local -x ipa-setup-override-restrictions The result is: Principal: afs/cellname@Realm Key: vno 1, des-cbc-crc, no

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-13 Thread Andreas Ladanyi
Hi, I set up the 389 LDAP server to support the des-cbc-crc enctype. I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4 (single-DES). I created the principal with: kadmin.local -x ipa-setup-override-restrictions Please don't do this, use the ipa service-add and ipa-getkeytab

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-14 Thread Andreas Ladanyi
[root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test --- Added host afs-cellname.ipacloud.test --- Host name: afs-cellname.ipacloud.test Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-17 Thread Andreas Ladanyi
Hi, I set up the 389 LDAP server to support the des-cbc-crc enctype. I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4 (single-DES). I created the principal with: kadmin.local -x ipa-setup-override-restrictions Please don't do this, use the ipa service-add and ipa-getkeytab

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-18 Thread Andreas Ladanyi
Hi Simo, that's interesting. Now I can receive afs/cellname@REALM service tickets with a des-cbc-crc and aes256 key on the client, but only when I execute: kvno -e des-cbc-crc afs/cellname If I execute aklog to obtain an AFS token from the TGT I get an afs/cellname@REALM service ticket without

[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-01 Thread Andreas Ladanyi
Hi, Server: FreeIPA 3.3.5, Fedora 20 Client: Ubuntu 14.04 ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P only results in: klist -k /tmp/principal.keytab -e Keytab name: FILE:/tmp/principal.keytab KVNO Principal

Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-02 Thread Andreas Ladanyi
On Mon, 01 Dec 2014 11:53:11 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote: Hi, Server: FreeIPA 3.3.5, Fedora 20 Client: Ubuntu 14.04 ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P only results in: klist -k /tmp/principal.keytab

[Freeipa-users] Cross-Realm authentification

2014-12-03 Thread Andreas Ladanyi
Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm principals on both KDCs with the same password and kvno: krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5) krbtgt/REALM_A@REALM_B getprinc on the REALM_A KDC for principal krbtgt/REALM_B@REALM_A: Number of keys:

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Andreas Ladanyi
On 03.12.2014 at 14:53 Alexander Bokovoy wrote: On Wed, 03 Dec 2014, Andreas Ladanyi wrote: Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm principals on both KDCs with the same password and kvno: krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi
I'm also getting errors but they are different to yours. Here is what I did: (on master.f21.test, realm F21.TEST): [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST Authenticating as principal root/ad...@f21.test with password. kadmin.local: addprinc

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi
On 05.12.2014 at 14:04 Alexander Bokovoy wrote: OK, I see one difference: I didn't use the -requires_preauth flag. Why did you use it? Because this is recommended by the MIT documentation. The link between realms has to be protected well, including preauth and good passwords for the

[Freeipa-users] Add custom script

2015-09-18 Thread Andreas Ladanyi
Hi, I am looking for a way to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. I found this post in the archive from 2011: https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html

[Freeipa-users] Custom scripts

2015-09-18 Thread Andreas Ladanyi
Hi, I am looking for a way to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. I found this post in the archive from 2011: https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html

[Freeipa-users] Add custom script

2015-09-18 Thread Andreas Ladanyi
Hi, sorry, my last post had the wrong link. I am looking for a way to add a custom script which will be executed after creating a new user. I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22. I found this post in the archive:

[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi, I want to install the IPA client: ipa-client-install -d I get the following error: Verifying that "MyFreeIPA Server" (realm None) is an IPA server Init LDAP connection to: "MyFreeIPA Server" Error checking LDAP: Connect error: TLS error -8054:You are attempting to import a cert with the same

[Freeipa-users] Moving from ca to ca-less without pki

2016-07-29 Thread Andreas Ladanyi
Hi, is it simply possible to move from CA to a CA-less environment in IPA? Because it's OK for me to only use certificates in the web and LDAP components. I use FreeIPA 4.2, Fedora 23. Regards, Andreas

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-15 Thread Andreas Ladanyi
Hi, > Hi all, > > I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has > been a pain point for quite some time. I've heard that FreeIPA might > be a solution worth exploring. > > I would like to try to avoid user visible disruption if possible, > however. This means that we

[Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Andreas Ladanyi
Hi, I am trying to replace the self-signed certificate from the IPA installation following this description: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP ipa-server-certinstall -w -d mysite.key mysite.crt The tool asks for the private key unlock password. The private key was

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi
Hi, is it possible that ipa-server-certinstall can't handle private keys without a password? I would test it with a self-signed certificate and a test private key file secured with a password, but I don't know what happens after entering a valid private key unlock password. Could I stop the

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi
Hi Rob, Hi, is it possible that ipa-server-certinstall can't handle private keys without a password? You can file an RFE at https://fedorahosted.org/freeipa/newticket It seems that ipa-server-certinstall can't handle private keys with a password either. See my result below. I would test

[Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Hi, I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2. When I want to start IPA with ipactl start I run into the situation that starting pki-tomcat takes a long time and ipactl aborts the start process and shuts down the services. So IPA doesn't start. ipactl start: Starting Directory

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Kerberos 5 Password-changing and Administration > pki-tomcatd@pki-tomcat.service > > loaded failed failedPKI Tomcat Server pki-tomcat > > > Which log files are important to analyse this issue of IPA? > > > Andreas

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
> > org.apache.catalina.startup.ClassLoaderFactory validateFile > WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists: > [false], canRead: > [false] > org.apache.catalina.startup.ClassLoaderFactory validateFile > Problem with JAR file >

Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Tomasz, > On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: >> Hi, >> >> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2 >> >> When I want to start IPA with ipactl start I run into the situation >> starting pki-to

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Andreas Ladanyi
Hi, > For the time being and as far as I can see until IPA 4.3.1, the procedure is > messy and difficult. > The following thread will be a big help: > https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html > > I think I succeeded at last, but further tests remain. Is it possible

Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Fraser. >>> Hi, >>> >>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2 >>> >>> When I want to start IPA with ipactl start I run into the situation >>> starting pki-tomcat takes a long time and ipactl aborts the start >>> process and shuts down services. So IPA doesn't start. >>